Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Issues In Mobile IP

Published byClaire Saunders Modified over 10 years ago

Similar presentations

Presentation on theme: "Security Issues In Mobile IP"— Presentation transcript:

1 Security Issues In Mobile IP
Zhang Chao Tsinghua University Electronic Engineering

2 OUTLINE 1.Introduction 2.Typical threats
3. Mobile IPv6 and new threats 4.Open issues

3 OUTLINE 1.Introduction 2.Typical threats
3. Mobile IPv6 and new threats 4.Open issues

4 What is Mobile IP? Mobile IP is a protocol developed by IETF, aimed to solve the mobility problem of network node. Mobile IP enables a wireless network node to move freely from one point of connection to the Internet to another, without disrupting the TCP end-to-end connectivity.

5 How Mobile IP works? When an MN moves from home link to a foreign link, it acquires an IP address from the FA, namely CoA. It also keeps its own Home address. Registration, MN tells HA its new CoA, . All the packets aimed to MN from CN will be sent to MN’s HA with the original home address, and HA will forward them according to CoA of MN with tunneling.

6 OUTLINE 1.Introduction 2.Typical threats
3. Mobile IPv6 and new threats 4.Open issues

7 DoS attack When a bad guy send fake registration request to HA, using its own address as CoA, 1.the attacker will receive all the packets belongs to MN 2.all the connection to the MN will fail

8 Solution to DoS Mobile IP requires all the registration message between MN and HA should be under strict authentication. “Keyed MD5” as the default authentication algorithm , symmetrical key algorithm . MN and HA negotiate the same secret key before registration, and use it to produce a 16 bit message digest. The HA will check whether the digest received equals to the digest calculated by itself.

9 Replay Attack Bad guy saves the old valid registration message of MN, and re-send it to HA. Then the HA will forward packets to the old CoA, rather than the new allocated CoA of MN. Solution:Identification Domain in registration messages Time Stamp Nonces

10 DoS attack from MN A malicious MN could lie about its CoA and in this way mount a DoS attack against another node in the Internet. The cheated HA will wrongly direct the traffic to the victim node. However , such an attack is easy to traced since the MN must use its own Security Association information.

11 TCP-Syn Flooding Bad guy uses fake IP addresses to send TCP-syn packets, occupies the resources of the systems that open TCP service. TCP-Syn flooding cannot be totally solved unless the TCP protocol be re-designed. Mobile IP usually uses Ingress Filtering to control the access to relieve the Flooding. However, it means that the assumption of Mobile IP “Routing is independent on Source Address ” fails. Some adaptations: Use care-of address as source address ( Mobile IPv6) Tunnel reverse

12 OUTLINE 1.Introduction 2.Typical threats
3. Mobile IPv6 and new threats 4.Open issues

13 Mobile IPv6 MN select CoA itself, no need for FA Binding Update
Binging Acknowledge Corresponding Node want to communicate with MN, request sent to HA then forward to MN MN reply with the new CoA information CN binding the CoA to HA MN can directly communicate with CN, without a triangular routing.

14 Security of Mobile IPv6 Using extension header No FA
The process that CN receive the Binding Update information is vital :possible to be attacked Some generic security problems, but not specific for Mobile IPv6.

15 Threats against Mobile IPv6(1)
If the attacker know the Home Address of the MN, it can send a fake Binding Update to CN, directing the connection to itself.

16 Threats against Mobile IPv6 (2)
Attacker using BU message to direct flooding packets to the victim node.

17 Threats against Mobile IPv6(3)
When attacker is on the route between MN and CN, it can modify the BU messages to mount inter-person attacks.

18 Threats against Mobile IPv6(4)
Attacker sends millions of fake BU message to CN and HA, to occupy the storage and CPU.

19 Solutions These threats all lead from the fact that CN cannot authenticate or understand Binding Update messages, and can be solved by Authentication mechanism. When the MN and CN share the same Security Authority, IPSEC can be deployed to authenticate. In practical situation, MN and CN usually do not have the same SA, Return Routability Procedure

20 RRP mechanism Return Routability Procedure: authenticate the CoA and HA belongs to the same MN.

21 Mobile IPv4 versus Mobile IPv6
Triangular routing, CN cannot understand the BU message Routing Optimization, RRP provide protection for BU messages between MN and CN even not share the same Security Authority When use Ingress Filtering to defeat DoS attack , Reverse Tunneling should be deployed to make sure the packets sent by CN can reach the MN When use Ingress Filtering to defeat DoS attack, no need for Reverse Tunneling Better coexistence with the Ingress Filtering policy Address Resolution Protocol, easily to be attacked. Using Neighbor Discovery Protocol ,better robustness and security. Foreign Agent , a potential threat No FA

22 OUTLINE 1.Introduction 2.Typical threats
3. Mobile IPv6 and new threats 4.Open issues

23 Open issues Location Privacy of MN
--no mechanism existed in Mobile IP specifications to fix it, usually solved by Bi-directional tunneling. Protection of the MN-CN signaling --IPSEC , costly and relies on a public key infrastructure --Purpose-Built Keys (PBK), still under research --Cryptographically Generated Address (CGA), complementary to RRP, but costly

24 Thank You !

Download ppt "Security Issues In Mobile IP"

Similar presentations

Mobile IP.. 45-7028-115-6. How Mobile IP Works? Agenda What problems does Mobile IP solve? Mobile IP: protocol overview Scope Requirements Design goals.

Mobile IP How Mobile IP Works? Agenda What problems does Mobile IP solve? Mobile IP: protocol overview Scope Requirements Design goals.
A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
Secure Mobile IP Communication

Secure Mobile IP Communication
Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?

Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?
Mobile Networking through Mobile IP

Mobile Networking through Mobile IP
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.

Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Mobile IPv6: An Overview Dr Martin Dunmore, Lancaster University.

Mobile IPv6: An Overview Dr Martin Dunmore, Lancaster University.
IPv6 Mobility Support Henrik Petander

IPv6 Mobility Support Henrik Petander
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Christophe Jelger – CS221 Network and Security - Universität Basel - 20051 Christophe Jelger Post-doctoral researcher IP Multicasting.

Christophe Jelger – CS221 Network and Security - Universität Basel Christophe Jelger Post-doctoral researcher IP Multicasting.
INTRODUCTION WIRELESS TECHNOLOGY BECOMING HOTTER WIRELESS TECHNOLOGY BECOMING HOTTER TRANSITION TOWARDS MOBILITY OVER PAST 20 YEARS TRANSITION TOWARDS.

INTRODUCTION WIRELESS TECHNOLOGY BECOMING HOTTER WIRELESS TECHNOLOGY BECOMING HOTTER TRANSITION TOWARDS MOBILITY OVER PAST 20 YEARS TRANSITION TOWARDS.
4/1/2017 Wireless Mobile IP CCRI ENGR 1500 CCRI J. Bernardini.

4/1/2017 Wireless Mobile IP CCRI ENGR 1500 CCRI J. Bernardini.
Mobile Communications-Network Protocols/Mobile IP

Mobile Communications-Network Protocols/Mobile IP
IDMP-based Fast Handoffs and Paging in IP-based Cellular Networks IEEE 3G Wireless Conference, 2001 李威廷 11/22/2001 Telcordia.

IDMP-based Fast Handoffs and Paging in IP-based Cellular Networks IEEE 3G Wireless Conference, 2001 李威廷 11/22/2001 Telcordia.
1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.
Mobility Support in IPv6 Advanced Internet, 2004 Fall 8 November 2004 Sangheon Pack.

Mobility Support in IPv6 Advanced Internet, 2004 Fall 8 November 2004 Sangheon Pack.
MIP Extensions: FMIP & HMIP

MIP Extensions: FMIP & HMIP
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
Mobile IPv6 趨勢介紹 1. Mobile IP and its Variants Mobile IPv4 (MIPv4) – MIPv4 – Low-Latency Handover for MIPv4 (FMIPv4) – Regional Registration for MIPv4.

Mobile IPv6 趨勢介紹 1. Mobile IP and its Variants Mobile IPv4 (MIPv4) – MIPv4 – Low-Latency Handover for MIPv4 (FMIPv4) – Regional Registration for MIPv4.
1 Mobile IP Myungchul Kim Tel: 042-866-6127.

1 Mobile IP Myungchul Kim Tel:

Similar presentations

Ads by Google